From 0892519dbafcdc6a4c24204f64bb49f49418937e Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:40:25 +0800 Subject: [PATCH 01/10] Update sample-vuln/test.py in branch Precogs-fix-5kqi2b08 --- sample-vuln/test.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 sample-vuln/test.py diff --git a/sample-vuln/test.py b/sample-vuln/test.py new file mode 100644 index 0000000..acfacda --- /dev/null +++ b/sample-vuln/test.py @@ -0,0 +1,13 @@ + +# ❌ 3. Command injection +def list_files(user_path: str) -> str: + import os + # PRECOGS_FIX: avoid shell use and rely on filesystem APIs to prevent command injection + try: + entries = [] + with os.scandir(user_path) as it: + for e in it: + entries.append(e.name) + return "\n".join(entries) + except Exception as exc: + return f"Error: {exc}" \ No newline at end of file From dc64b9f3dc33bc0413bf4370e5102875d0475817 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 12:40:21 +0530 Subject: [PATCH 02/10] Update test.py --- test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test.py b/test.py index 5f99ebe..45775aa 100644 --- a/test.py +++ b/test.py @@ -5,7 +5,7 @@ import subprocess import yaml import requests - +cdsac # ❌ 1. Hard-coded secret SECRET_KEY = "my_super_secret_key_123456" From e25fbe8f44b51faba4ec30c81e8b82a6fd4475e0 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:06:37 +0530 Subject: [PATCH 03/10] Update test.py --- test.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test.py b/test.py index 45775aa..05168f3 100644 --- a/test.py +++ b/test.py @@ -5,8 +5,7 @@ import subprocess import yaml import requests -cdsac - +asdf # ❌ 1. Hard-coded secret SECRET_KEY = "my_super_secret_key_123456" From 80e099d50eba269341ff62c2fe8efe320cd926cb Mon Sep 17 00:00:00 2001 
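Review bot: `user_path` still reaches `os.scandir` unconstrained in the new `list_files`, so removing the shell fixes command injection but leaves arbitrary directory enumeration — `../../etc` or an absolute path lists any directory the process can read. Resolve the input against a fixed base directory and reject escapes before scanning, e.g. `base = os.path.realpath(BASE_DIR)`, `full = os.path.realpath(os.path.join(base, user_path))`, `if os.path.commonpath([base, full]) != base: return "Error: invalid path"`. The `except Exception as exc: return f"Error: {exc}"` branch also returns the raw OSError text (which includes the resolved path) in-band with the listing and swallows unrelated bugs; narrow it to `except OSError:` and return a fixed message. The patch is collapsed in this view, so the body's exact indentation is inferred.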
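Review bot: The added line `cdsac` is a bare name at module scope with no definition in the visible context, so importing test.py would raise `NameError` before any function is defined. If this is a scratch edit it should be dropped rather than committed. The hard-coded `SECRET_KEY` shown in the surrounding context is unchanged by this hunk and presumably still needs to be moved out of source.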
From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:14:01 +0530 Subject: [PATCH 04/10] Update test.py --- test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test.py b/test.py index 05168f3..5f3f9d4 100644 --- a/test.py +++ b/test.py @@ -5,7 +5,7 @@ import subprocess import yaml import requests -asdf +asdfasfd # ❌ 1. Hard-coded secret SECRET_KEY = "my_super_secret_key_123456" From 6d12685cac9ea3e1141c67dfb3ab3efe847bcc5b Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 15:12:02 +0530 Subject: [PATCH 05/10] Update test.py --- test.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test.py b/test.py index 5f3f9d4..83325f6 100644 --- a/test.py +++ b/test.py @@ -5,8 +5,7 @@ import subprocess import yaml import requests -asdfasfd -# ❌ 1. Hard-coded secret + SECRET_KEY = "my_super_secret_key_123456" From e86d8901b77533a98c4351a3b44bd6545c365733 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 15:42:23 +0530 Subject: [PATCH 06/10] Update app.py --- app.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app.py b/app.py index 91a12e2..e4cc989 100644 --- a/app.py +++ b/app.py @@ -5,6 +5,8 @@ from flask import Flask, request app = Flask(__name__) +app = Flask(__name__) + API_KEY = "SUPER_SECRET_API_KEY_12345" From 44d22600db71b730469886e759c3d1ba3ba26797 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 15:50:40 +0530 Subject: [PATCH 07/10] Update app.py --- app.py | 1 - 1 file changed, 1 deletion(-) diff --git a/app.py b/app.py index e4cc989..5206b97 100644 --- a/app.py +++ b/app.py @@ -5,7 +5,6 @@ from flask import Flask, request app = Flask(__name__) -app = Flask(__name__) API_KEY = "SUPER_SECRET_API_KEY_12345" From d0ea36c0f8053a25ff8310262da1508714e5d967 Mon Sep 17 00:00:00 2001 
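Review bot: Replacing `asdf` with `asdfasfd` leaves test.py with an undefined bare name at module scope, which raises `NameError` on import; the line should be removed entirely rather than re-spelled. Three consecutive commits in this series edit the same junk token, which suggests the branch is being used for scratch work that will end up in history.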
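Review bot: The `# ❌ 1. Hard-coded secret` marker is removed while `SECRET_KEY = "my_super_secret_key_123456"` remains in the hunk's context, so the finding is hidden rather than fixed, and a value that has already been committed should be treated as compromised and rotated. Load it from the environment instead, `SECRET_KEY = os.environ["SECRET_KEY"]` (the later hunk in this series shows `import os` at the top of test.py; if that import is gone, add it), or keep the marker until the secret is actually moved out of source.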
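Review bot: The second `app = Flask(__name__)` rebinds `app` to a fresh application object; nothing sits between the two lines in this hunk so it is only redundant here, but any route or config attached to the first instance would be silently lost, so the duplicate line should be dropped. Separately, `API_KEY = "SUPER_SECRET_API_KEY_12345"` in the context is a hard-coded credential; the rest of app.py is not visible, but it presumably should be read from configuration or the environment rather than committed.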
From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Wed, 11 Mar 2026 15:59:13 +0530 Subject: [PATCH 08/10] Update app.py --- app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.py b/app.py index 5206b97..04ccbc2 100644 --- a/app.py +++ b/app.py @@ -5,7 +5,7 @@ from flask import Flask, request app = Flask(__name__) - +d API_KEY = "SUPER_SECRET_API_KEY_12345" From 6a5b0862e7e82bf3a7bbce01e18a1dbeea86f036 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Thu, 12 Mar 2026 10:59:10 +0530 Subject: [PATCH 09/10] Update test.py --- test.py | 65 --------------------------------------------------------- 1 file changed, 65 deletions(-) diff --git a/test.py b/test.py index 83325f6..8b13789 100644 --- a/test.py +++ b/test.py 
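Review bot: The added line `d` is an undefined bare name at module scope in app.py, so importing the module (and thus starting the Flask app) raises `NameError` before `API_KEY` is even assigned. Remove the line; if a blank separator was intended, an empty line is what the previous revision had.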
@@ -1,66 +1 @@ -import os -import hashlib -import pickle -import random -import subprocess -import yaml -import requests -SECRET_KEY = "my_super_secret_key_123456" - - -# ❌ 2. Weak password hashing (MD5) -def hash_password(password: str) -> str: - return hashlib.md5(password.encode()).hexdigest() - - -# ❌ 3. Command injection -def list_files(user_path: str) -> str: - # User input directly concatenated into shell command - cmd = f"ls -la {user_path}" - return subprocess.getoutput(cmd) - - -# ❌ 4. Insecure deserialization (RCE risk) -def load_user_data(data: bytes): - # Untrusted pickle loading - return pickle.loads(data) - - -# ❌ 5. Path traversal -def read_file(filename: str) -> str: - # No validation on filename - with open(filename, "r") as f: - return f.read() - - -# ❌ 6. Unsafe YAML loading -def parse_yaml(data: str): - # yaml.load without safe_load - return yaml.load(data, Loader=yaml.Loader) - - -# ❌ 7. Insecure random token -def generate_token() -> str: - # random is not cryptographically secure - return "".join(str(random.randint(0, 9)) for _ in range(16)) - - -# ❌ 8. SSRF-style HTTP request -def fetch_internal_url(url: str): - # User-controlled URL used in backend request - return requests.get(url, timeout=5).text - - -# ❌ 9. Dangerous eval -def calculate(expression: str): - # Remote code execution risk - return eval(expression) - - -# ❌ 10. Weak file permissions -def save_file(filename: str, content: str): - with open(filename, "w") as f: - f.write(content) - # World-writable permission - os.chmod(filename, 0o777) From d6553799462018dc15c993afda4ce23efdd225b9 Mon Sep 17 00:00:00 2001 From: Sameer <142401625+sameer6pre@users.noreply.github.com> Date: Thu, 12 Mar 2026 21:56:54 +0530 Subject: [PATCH 10/10] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93bf501..21c4dac 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ s jh cdsav - jb + kjhbvljhv wfewqfd